Yuri Slobodyanyuk's blog on IT Security and Networking sharing experience and expertise

Category: Cisco

It has passed somewhat unnoticed, but Google has made its NTP servers freely available to everyone. I have been using their DNS servers for years without any issues, so I will trust their NTP ones as well; so far they work just fine. For a single server use time.google.com; for multiple servers use time1.google.com, time2.google.com, time3.google.com and time4.google.com (even though they all seem to sit in the same class C, I get different latencies to them, from 85 msec up to 185 msec).

I don’t work on the command line of CUCM often, if ever, you may add, but when the need arises here is the short list of commands to keep. A little reminder: the latest Cisco CUCM software (starting with version 5) is Linux (namely Red Hat) based, which of course includes terminal access, be it physical via the console or over the network via ssh. You create a username/password for the terminal during the CUCM installation. As Cisco does not want us to mess with the underlying OS, our interaction is limited to a very restricted kind of shell. So you don’t have access to the Linux commands, but you do have a predefined set of CUCM commands, of which I present the most useful ones here. I ran the examples below on an MCS hardware server, so your output may vary.

– Changing the password for yourself or another user. Know that it is here, but do not play with it, or you risk locking yourself out of the server.

Today I was surprised to hear from someone who just took one of the CCNP Security exams that they still test for Reflexive access lists. What nostalgia! I was sure it had long been superseded by ip inspect (CBAC) and the Zone-Based Firewall, but no, it is still tested and still available in the newest IOS images of at least the ISR routers. If you, like me, are rusty on its config, here is how to allow everything outbound from the inside:

It is not exactly stateful. What happens is that the router dynamically adds temporary, non-stateful entries to the INBOUND access list that mirror the outbound traffic, and expires them after a timeout. In doing so the Cisco router looks only at the source/destination IP addresses and ports, not at any protocol state.
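To make the "mirror" behaviour concrete, here is a small model of a reflexive list, written for this page as an added example (it is not code from the post). An outbound packet that hits the permit line with `reflect` installs an entry with source and destination swapped; an inbound packet that reaches the `evaluate` line is admitted only if such an entry exists and has not timed out. As in IOS, the comparison is on protocol, addresses and ports only; the model deliberately tracks no TCP state and simplifies IOS by handling only the timeout (the timer is refreshed whenever a packet matches). The addresses, ports and the 300 second timeout are constructed sample values.

```python
"""Model of an IOS reflexive access list (added example, not from the post).

An outbound 'permit ... reflect NAME' creates a temporary entry in list NAME
with source and destination swapped; an inbound 'evaluate NAME' admits only
packets matching such an entry that has not yet timed out.  Like IOS, the
model compares only protocol, addresses and ports: no TCP state is tracked.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int

    def mirrored(self) -> "Flow":
        # The reflected entry matches the return direction of this flow.
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)


@dataclass
class ReflexiveACL:
    """One named reflexive list, e.g. 'permit ip any any reflect MIRROR timeout 300'."""
    timeout: int = 300                            # seconds; 300 is the IOS default
    entries: dict = field(default_factory=dict)   # mirrored Flow -> expiry time

    def outbound(self, pkt: Flow, now: int) -> None:
        """Outbound packet matched the 'reflect' line: install or refresh the mirror entry."""
        self.entries[pkt.mirrored()] = now + self.timeout

    def evaluate(self, pkt: Flow, now: int) -> bool:
        """Inbound packet reached the 'evaluate' line: permit only if a live mirror entry exists."""
        self.expire(now)
        if pkt in self.entries:
            self.entries[pkt] = now + self.timeout   # matching traffic refreshes the timer
            return True
        return False

    def expire(self, now: int) -> None:
        """Drop every entry whose timer has run out."""
        for flow in [f for f, t in self.entries.items() if t <= now]:
            del self.entries[flow]


def demo() -> dict:
    """Walk through the scenario the post describes and return each decision."""
    acl = ReflexiveACL(timeout=300)
    # Constructed inside host 10.1.1.5 opening an HTTPS connection outbound.
    web = Flow("tcp", "10.1.1.5", 40001, "203.0.113.10", 443)
    acl.outbound(web, now=0)
    return {
        # the server's reply mirrors the outbound 5-tuple, so it is let in
        "reply_permitted": acl.evaluate(web.mirrored(), now=10),
        # nothing went out to this host first, so its packet is dropped
        "unsolicited_denied": not acl.evaluate(
            Flow("tcp", "198.51.100.7", 12345, "10.1.1.5", 22), now=10),
        # same server, but a different client port: no mirror entry, dropped
        "wrong_port_denied": not acl.evaluate(
            Flow("tcp", "203.0.113.10", 443, "10.1.1.5", 40002), now=10),
        # after the timeout (refreshed at t=10) the entry is gone
        "after_timeout_denied": not acl.evaluate(web.mirrored(), now=311),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:22} {'ok' if ok else 'FAIL'}")
```

The `wrong_port_denied` case is the practical consequence of "looks only at addresses and ports": any return packet that does not exactly reverse the outbound 5-tuple is dropped, which is why protocols that open secondary channels (FTP data connections, for instance) need more than a reflexive list.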

Once it was a nice-to-have configuration that most ISPs in the world ignored anyway, but today it is a must if you plan to advertise your networks via BGP through your uplink provider: the route object for your prefix in the routing registry (AS whois) database of the uplink provider. If it is missing, you will happily advertise your networks, the uplink provider will duly advertise them to its uplink peers, and those peers will check the registry database of your provider, not find the route object, and silently drop the advertisement.
Of course it is the duty of your transit ISP to update their records with your network, but after all, you are the one most interested, so as they say in Russian, "trust but verify" (Доверяй, но проверяй). Here is how to do it:
whois -h whois.ripe.net -- '-a -r -i or -T route AS1680' | grep route
In this example I assume your uplink provider is Netvision with AS1680; replace the AS number with the correct one.
Output will look like:
route: 109.186.0.0/16
route: 109.253.0.0/16
route: 117.121.245.0/24
route: 138.134.0.0/16
route: 147.161.0.0/16
…

If you don’t find your network in such a listing, then Houston, you have a problem.
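The listing above still has to be read by a human. As an added example (not part of the post), the script below parses the `route:` / `route6:` lines that the whois query prints and reports, for each of your prefixes, whether an exact route object exists, whether only a covering less-specific object exists, or whether there is none at all. The whois output embedded in it is a constructed sample, not a real provider's registrations; the exact match is what the post tells you to look for, while a covering aggregate is worth knowing about but whether a peer's filter accepts it depends on that peer's policy.

```python
"""Check whether your prefixes have route objects in a provider's whois listing.

Added example, not part of the post.  Parses the 'route:' lines printed by
  whois -h whois.ripe.net -- '-a -r -i or -T route ASxxxx' | grep route
and reports 'exact', 'covered' (a less specific route object contains the
prefix) or 'missing' for each prefix you intend to announce.
"""
import ipaddress

# Constructed sample of the grep'ed whois output; the prefixes are
# illustrative only, not a real provider's route objects.
SAMPLE_WHOIS_OUTPUT = """\
route:          109.186.0.0/16
route:          117.121.245.0/24
route:          147.161.0.0/16
route6:         2001:db8:1::/48
"""


def parse_route_objects(text: str) -> list:
    """Return the prefixes from 'route:' / 'route6:' lines as ip_network objects."""
    nets = []
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() in ("route", "route6"):
            nets.append(ipaddress.ip_network(value.strip(), strict=False))
    return nets


def route_object_status(prefix: str, route_objects: list) -> str:
    """'exact' if a route object equals prefix, 'covered' if a less specific
    one contains it, otherwise 'missing'."""
    net = ipaddress.ip_network(prefix, strict=False)
    if any(r == net for r in route_objects):
        return "exact"
    # subnet_of() raises on mixed address families, so compare versions first
    if any(r.version == net.version and net.subnet_of(r) for r in route_objects):
        return "covered"
    return "missing"


def check_prefixes(prefixes, whois_text: str = SAMPLE_WHOIS_OUTPUT) -> dict:
    """Map each prefix you plan to announce to its route-object status."""
    objects = parse_route_objects(whois_text)
    return {p: route_object_status(p, objects) for p in prefixes}


if __name__ == "__main__":
    # Constructed prefixes standing in for "your" networks.
    for prefix, status in check_prefixes(
            ["109.186.0.0/16", "147.161.10.0/24", "192.0.2.0/24"]).items():
        print(f"{prefix:20} {status}")
```

Feed it the real output by piping the whois command into a file and passing the file's contents as `whois_text`; a `missing` result is the "Houston, you have a problem" case, and the thing to raise with the transit provider before the announcement goes live.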

Yesterday I had to extract some data from a CDR report for a client, namely the call start time, its duration and the called number. And while I am sure Google has a zillion scripts to be found, it was much faster to hack this one-liner.
The script extracts the following fields from the CDR report, in this order:
dateTimeOrigination: for outgoing calls, the time the device goes off hook
callingPartyNumber: the initiator of the call
finalCalledPartyNumber: the reached/dialed number (after forwarding, if any)
duration: the duration of the call
The extracted data is written in CSV format so it can be easily imported into Microsoft Excel.
Enjoy. Any questions? Feel free to ask here.
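Since the one-liner itself did not survive on this page, here is an added example (my own, not the post's script) that does the same extraction with Python's csv module. It relies on the CUCM CDR layout of a first line of field names followed by a line of field types, picks the four fields by name rather than by column position, converts dateTimeOrigination from Unix epoch seconds to a readable UTC timestamp, and writes CSV. The embedded CDR text is a constructed sample with only a handful of the real file's columns.

```python
"""Extract start time, calling/called numbers and duration from a CUCM CDR file.

Added example, not the post's one-liner.  CUCM CDR files are comma separated
with a header line of field names and a second line of field types; fields
are selected by name so the column order of the real file does not matter.
"""
import csv
import io
from datetime import datetime, timezone

WANTED = ["dateTimeOrigination", "callingPartyNumber",
          "finalCalledPartyNumber", "duration"]

# Constructed sample with only a few CUCM CDR columns (a real file has far more).
SAMPLE_CDR = '''\
"cdrRecordType","globalCallID_callManagerId","globalCallID_callId","dateTimeOrigination","callingPartyNumber","finalCalledPartyNumber","duration"
INTEGER,INTEGER,INTEGER,INTEGER,VARCHAR(50),VARCHAR(50),INTEGER
1,1,10001,1262304000,"2001","0441234567",125
1,1,10002,1262304600,"2002","2003",0
1,1,10003,1262307200,"2003","0449876543",42
'''


def extract_calls(cdr_text: str) -> list:
    """Return one dict per call record with the four wanted fields.

    dateTimeOrigination is epoch seconds in the CDR and is rendered as UTC;
    duration is kept as an integer number of seconds.
    """
    lines = cdr_text.splitlines()
    if len(lines) < 2:
        return []
    header = next(csv.reader([lines[0]]))
    missing = [f for f in WANTED if f not in header]
    if missing:
        raise ValueError(f"CDR header lacks fields: {missing}")
    records = []
    for row in csv.reader(lines[2:]):        # skip the header and the type line
        if len(row) != len(header):
            continue                         # tolerate blank or truncated lines
        rec = dict(zip(header, row))
        start = datetime.fromtimestamp(int(rec["dateTimeOrigination"]), tz=timezone.utc)
        records.append({
            "start_utc": start.strftime("%Y-%m-%d %H:%M:%S"),
            "calling": rec["callingPartyNumber"],
            "called": rec["finalCalledPartyNumber"],
            "duration_s": int(rec["duration"]),
        })
    return records


def to_csv(records: list) -> str:
    """Render the records as CSV text that a spreadsheet imports directly."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["start_utc", "calling", "called", "duration_s"])
    writer.writeheader()
    writer.writerows(records)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(extract_calls(SAMPLE_CDR)), end="")
```

Records with a duration of 0 are unanswered or failed calls; keeping them in the output lets the client filter them in the spreadsheet rather than losing them silently.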

If you didn’t notice, Cisco IOS routers can serve as CA servers as well. The example configurations are easy to find on cisco.com, but the one trick to know when enrolling the Cisco VPN client with an IOS CA is the syntax of the URL: the string should look like http://192.182.12.1:80/cgi-bin/pkiclient.exe
I attach a screenshot below so you can see what I mean.
Some references as well.

Some great products get unfair treatment for unclear reasons. One such piece of gear is the Cisco IPS 4200 series sensor appliance, which does its job yet doesn’t get much attention or fame, and, even worse, gets no proper treatment on the Cisco.com documentation site. The documentation exists but is scarce, configuration examples are close to none, and screenshots, go find them. You get the picture, and here comes my humble effort to introduce the sensor to the wider audience of this website.
First is the initial configuration using the console. The software used is 6.1 and the sensor hardware is an IPS 4235. I am doing the config without running the built-in setup dialog.
Enjoy and have a nice day.
Yuri

Here is a feature that will save you time and frustration in many scenarios, especially when managing Cisco routers in a multi-user environment. Once enabled, archiving periodically saves a copy of the IOS router’s running configuration to flash or to a remote server. So
the next time something stops working after a series of changes and you don’t know which one caused it, just revert to the working configuration that is readily available.